Meet the Puzzle Mastermind Who Designs Def Con’s Hackable Badges

Badge master Ryan Clarke (above), aka LostboY and LosT, has been designing the Def Con badges since 2012. This year's badge theme plays off the sci-fi cult classic film They Live about a homeless drifter who stumbles upon a box of mysterious sunglasses that allow him to see aliens in disguise. Conference attendees will receive red-tinted glasses to help them uncover hidden images and messages, like the one buried in this conference brochure page (at left). Ryan Clarke

LAS VEGAS — Def Con is one of the world’s biggest hacker conventions, an annual gathering of security experts, cryptographers and at least a few people who could surreptitiously drain your bank account if they wanted. They come to Las Vegas to learn about the latest computer vulnerabilities and exploits, show off their skills, and hack or crack anything that can be hacked and cracked—including the conference badges.

Badges for Def Con, now in its 22nd year, are as big a draw as the event itself. Eschewing the traditional laminated cards that other conventions provide, the badges have evolved over the years to become electronic gizmos with circuit boards, LEDs and cryptographic puzzles—all designed to give hackers and crypto-crackers a sandboxed playground to exercise their arts. For several years the badge has also been part of a contest—with the most clever hack of the circuit board winning a coveted black Uber badge and lifetime free admission to the con.

The coveted black Uber badge is given to the winners of the badge challenge and other Def Con contests. Note the Korean writing at the bottom. This and other foreign-language letters and characters on the badges—Chinese, Hebrew, Mongolian—are part of the puzzle. Ryan Clarke

Clarke took over badge design in 2012 and promptly made mysteries and math the centerpiece. It makes sense, given that he’s a crypto and puzzle master whose day job used to be cryptography. For five years he also ran one of Def Con’s most popular contests—the Mystery Challenge, which involved a lot of crypto and math.

That carried over to the first badges he made in 2012, which had more than 45 puzzles, some of which told the story of a secret crypto society Def Con attendees had to unmask. It took until nine months after the conference for someone to solve the final mystery.

This year, Clarke has packed more than a dozen stages into his challenge, with some involving multiple puzzles that have to be solved before players can advance to the next level. The puzzles lead to other puzzles and clues dispersed throughout the conference on floors and walls. Players need parts of each to arrive at the final solution.

Clarke designs at least seven badges each year—one for vendors, press, goons (conference volunteers), speakers, contest leaders and humans (attendees)—all of which have different puzzles and roles to play in the challenge. He also designs the winning Uber badges awarded to the winners of the various Def Con contests.

Enthusiastic contestants have devoted hours of time to solving his past badge and mystery challenges and have even published web pages chronicling their efforts to crack them.

“I’m kind of like a magician. I have to come up with new tricks every year,” Clarke says. “I’m staying one step ahead of them so far.”

Clarke designs seven badges each year—one for attendees (humans), goons (conference volunteers), vendors, speakers, contest leaders, the press, and the Uber badge. The number “22” on every badge is unique to that badge design; players have to collect each of them to decipher part of a math-based challenge. The lanyards holding the badges also contain puzzles. Ryan Clarke

That’s getting increasingly difficult to do, however. Hardcore players know Clarke’s life informs his puzzles. After he took up the bass guitar last year, for example, music and musical notes appeared in his design. And his Uber badge always includes a skull, a reference to his first Def Con, when he won an embedded devices contest by embedding a web server in a plastic skull.

With that in mind, badge hackers are constantly keeping tabs on him, looking for any tells. They pore over his online life, seeking even the smallest clue. One year while running the Mystery Challenge, Clarke had to change hotel rooms because people were trying to break into his room. There have even been players who resorted to social engineering, contacting his family and friends to artfully solicit details about his background.

“Basically, they were doing all the things you would want to do to hack someone,” Clarke said.

Although the challenge is hard to crack, the central puzzle is designed to be solved before the con ends Sunday. He says it requires a lot of finessing to make something that is solvable in a finite amount of time but still intellectually challenging.

“If you want to be a jerk, you can just encrypt it to make it really hard to break. But then it’s not fun for everyone,” he says. “I have to think, How do I add a flaw to it so it is accessible within a finite amount of time and is still clever and kitschy and fun?”

Anyone who gets truly stumped can ask him for a clue. He’ll be camped out in a room for the duration of the Con. But players have to put in significant effort before he’ll bother answering them.

“Part of the puzzle is figuring out a code word that enables them to ask me questions to get help,” he says. “So if it’s frustrating and they’re ready to give up, if they have that code word they can ask me for help. But they have to do some level of effort to get to the point.”

In the past, players have tried to uncover solutions by doing a data dump from the EEPROM on the badges to search for solutions and hints in the badge’s memory.

“That was a clever hack and I gave people props for doing that,” he says. But to foil them, all the text and clues stored in this year’s EEPROM are encrypted. He inserted a few bits of cleartext, however, that take a playful jab at the cheaters.

The encrypted code decrypts from other code stored in the EEPROM, but he says it will take a lot of effort to uncover it.

A gif made from a video Clarke provided showing the programmable LEDs embedded on the badges. Are the LEDs blinking out a subliminal message? Ryan Clarke

Clarke’s foray into Def Con hacking games began after his first year at the con. He’d come alone and didn’t know what to expect and entered the TCP-IP Embedded Devices challenge on a lark. He participated as a single contestant but beat out competing teams of multiple players to secure the coveted Uber badge his first time out. When he learned the contest wouldn’t be held the following year, he pinged Def Con founder Jeff Moss and offered to run the contest himself. Moss agreed, and Clarke spent six months designing the competition—only to see it cancelled at the last minute due to a communication snafu. Undeterred, he decided to host his own contest anyway—an unofficial, underground Mystery Challenge—which turned out to be a big hit.

“I had a huge showing of people for this contest that was technically not happening,” he says. All of the secrecy around that first challenge has carried over to his subsequent contests and badges. Secrecy and intrigue have always been part of Clarke’s life—his uncle, Floyd Clarke, was deputy director of the FBI during the Clinton administration and was once offered directorship of the CIA, Clarke says, but turned it down.

Since taking over the badges, Clarke has alternated between electronic and conventional badges each year.

The red badge goes to the Def Con goons—the tireless volunteers who keep the entire con and the Def Con network running and secure. Ryan Clarke

Last year, he went old school with a simple plastic badge that was designed with a blackjack theme, to play off Def Con’s 21st year. Each of the seven badge designs was patterned after a card in a poker deck. Only the Uber badge departed from the theme, with an intricate steampunk design and actual mechanical clockwork embedded in the badge.

He’s back to electronics for 2014, with a badge that features a circuit board and several LEDs. Buried within it, however, are crypto-puzzles, electronic Easter eggs, and a backstory about things that aren’t what they seem. The underlying theme riffs on John Carpenter’s 1988 sci-fi cult classic They Live about a shaggy-haired drifter named John Nada who stumbles upon a box of mysterious sunglasses. The glasses allow him to see what others cannot: That an alien race, disguised as the ruling classes, has taken over the world to broadcast subliminal media messages to distract the masses—“Consume!” “Marry!” “Reproduce!” “Sleep!”—while they strip the Earth of its resources.

“You need special glasses or you can’t see the aliens’ true form, and throughout the movie there are things you can only see if you have the glasses,” Clarke notes.

Likewise, every Def Con attendee will get a pair of red-tinted glasses that will allow them to see hidden images and messages in the conference brochure and throughout the conference halls.

The Human badge goes to regular attendees. “Do Not Obey” is Clarke’s subversive counter message to the subliminal messages the aliens in the film They Live broadcast through the media to keep Earthlings in line. Clarke has designed more than four versions of the human badges—knowing how many variations exist is something players have to determine. Ryan Clarke

Clarke has designed the badges to be used long after the conference ends. The circuit board, for example, has signal traces—wires printed on the board—that can be used to control micro-controllers. This year’s badge, along with the 2012 badge, can be used to do end-to-end encryption on computers to hide communication from the NSA. A Def Con talk that Clarke is presenting with colleagues will show how the two-badge hack works.

Clarke has found that each year the biggest mistake players make in trying to crack his challenge is over-thinking and over-engineering solutions. Clarke likes to play with them by giving some puzzles an easy solution, which contestants are often too quick to reject. Other puzzles can be decrypted in multiple ways, leaving players to determine which is correct. To help and confound them, Clarke tweets a hint every few hours to nudge people along if he thinks the crowd is getting stuck. But if everyone seems to be progressing too well, he may tweet a red herring to trip them up. After all, he wants people to solve his puzzles. He just doesn’t want them to do it too quickly.
